b'TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION\n\n\n\n\n                   Integrated Financial System Updates Are\n                  Improving System Security, but Remaining\n                       Weaknesses Should Be Addressed\n\n\n\n                                          March 28, 2013\n\n                              Reference Number: 2013-20-030\n\n\n\n\n This report has cleared the Treasury Inspector General for Tax Administration disclosure review process\n  and information determined to be restricted from public release has been redacted from this document.\n\n\n\n Phone Number | 202-622-6500\n E-mail Address | TIGTACommunications@tigta.treas.gov\n Website        | http://www.treasury.gov/tigta\n\x0c                                                     HIGHLIGHTS\n\n\nINTEGRATED FINANCIAL SYSTEM                             Connection, providing for data encryption and\nUPDATES ARE IMPROVING SYSTEM                            eliminating security weaknesses in the Citrix and\nSECURITY, BUT REMAINING                                 IFS Windows 2000 environments. 
With\nWEAKNESSES SHOULD BE                                    successful implementation of System\n                                                        Application and Products Enterprise Central\nADDRESSED\n                                                        Component 6.0, the IRS expects that the IFS will\n                                                        be in compliance with current Federal laws and\nHighlights                                              accounting standards and will address the\n                                                        security weakness related to Oracle database\nFinal Report issued on March 28, 2013                   software.\n                                                        As planned, IFS updates address compliance for\nHighlights of Reference Number: 2013-20-030             specific information technology security controls.\nto the Internal Revenue Service Chief Financial         However, improvements are needed to better\nOfficer and Chief Technology Officer.                   ensure that: 1) remaining IFS security\nIMPACT ON TAXPAYERS                                     weaknesses are adequately addressed and\n                                                        2) system requirements testing consistently\nThe Integrated Financial System (IFS) is the            complies with established IRS guidelines.\nIRS\xe2\x80\x99s core financial system and annually assists\nthe IRS in accounting for approximately                 WHAT TIGTA RECOMMENDED\n$12 billion in operational funds.                       
TIGTA recommended that the Chief Technology\nThe IFS was implemented as a major project              Officer work with the Chief Financial Officer to:\nunder the IRS\xe2\x80\x99s Business Systems                        1) apply existing or implement additional access\nModernization Program, but in November 2005             controls to ensure that IFS users are restricted\nthe system was reclassified as Operations and           to IRS employee sensitive data on a \xe2\x80\x9cneed to\nMaintenance funding. For Fiscal Years 2012              know\xe2\x80\x9d basis; 2) implement control checks to\nand 2013, the IRS requested nearly                      prevent IFS users from accessing unauthorized\n$37.5 million to upgrade the IFS. Recently, the         IRS employee accounts or prepare a risk-based\nIRS initiated approximately $10.5 million in            decision and accept the risk; 3) implement\nsystem updates for the IFS that include:                two-factor authentication in a future release and\n1) encryption of graphical user interface traffic,      identify a form of multifactor authentication for\n2) update of the platform with functional               IFS system administrators; 4) ensure that all\nenhancements, and 3) support of a Department            applicable system requirements for IFS test\nof the Treasury mandate for all Federal                 cases include expected results; and 5) ensure\nagencies. The IRS planQHG to complete                   that all IFS testers obtain and maintain\ndeployment of these system updates in                   documentation to verify test case results.\nNovember 2012.                                          In its response, the IRS agreed with our\nWHY TIGTA DID THE AUDIT                                 recommendations. 
The IRS plans to restrict\n                                                        access to sensitive employee data to only those\nThis audit was initiated to determine whether the       users with a \xe2\x80\x9cneed to know\xe2\x80\x9d basis; evaluate the\nIRS has adequately planned for recent updates           identified low risk to determine if a risk-based\nof the IFS to support long-term goals and to            decision is needed; implement the new version\nmitigate risks in accordance with the Department        of the Secure Network Connection module once\nof the Treasury, IRS, and other systems                 its certification is completed in late 2013; ensure\ndevelopment guidelines. TIGTA evaluated key             that the IFS is included in the current program-\nmanagement controls and processes, project              level mitigation strategy to implement two-factor\nfunding, and system security risks.                     authentication; and link its Rational Quality\n                                                        Manager to its requirements repository so that\nWHAT TIGTA FOUND                                        requirements test management can be properly\nIn July 2012, the IRS implemented the System            documented.\nApplication and Products Secure Network\n\x0c                                           DEPARTMENT OF THE TREASURY\n                                                WASHINGTON, D.C. 20220\n\n\n\n\nTREASURY INSPECTOR GENERAL\n  FOR TAX ADMINISTRATION\n\n\n\n\n                                           March 28, 2013\n\n\n MEMORANDUM FOR CHIEF FINANCIAL OFFICER\n                CHIEF TECHNOLOGY OFFICER\n\n\n FROM:                       Michael E. 
McKenney\n                             Acting Deputy Inspector General for Audit\n\n SUBJECT:                    Final Audit Report \xe2\x80\x93 Integrated Financial System Updates Are\n                             Improving System Security, but Remaining Weaknesses Should Be\n                             Addressed (Audit 201220013)\n\n This report presents the results of our review of updates to the Integrated Financial System. The\n overall objective of this review was to determine whether the Internal Revenue Service (IRS) has\n adequately planned for Integrated Financial System updates to support long-term goals and to\n mitigate risks in accordance with the Department of the Treasury, IRS, and other systems\n development guidelines. This audit was included in the Treasury Inspector General for Tax\n Administration Fiscal Year 2012 Annual Audit Plan and addresses the major management\n challenge of Modernization of the IRS.\n Management\xe2\x80\x99s complete response to the draft report is included as Appendix V in the attached\n PowerPoint presentation.\n Copies of this report are also being sent to the IRS managers affected by the report\n recommendations. 
Please contact me or Alan Duncan, Assistant Inspector General for Audit\n (Security and Information Technology Services), if you have questions.\n\n\n Attachment\n\n   201320030-Final\n      Report.pdf\n\x0c   TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION\n\n\n\n\n      Integrated Financial System Updates\n       Are Improving System Security, but\n   Remaining Weaknesses Should Be Addressed\n\n                                              March 28, 2013\n                            Reference Number: 2013-20-030\n\nThis report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined\n                     to be restricted from public release has been redacted from this document.\n\x0c                              Table of Contents\nBackground\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6...........                                                     4\nAudit Objective\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6.                                                         9\nResults of Review\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6.. 
                                                      10\n  IFS Updates Address Compliance and Specific Security Weaknesses..................................   11\n  Remaining IFS Security Issues Should Be Addressed\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6..\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6...\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6                              12\n        Recommendations 1 and 2\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6..                                          16\n        Recommendation 3:\xe2\x80\xa6\xe2\x80\xa6.\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6..\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6..\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6..\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6.                                         19\n        Recommendation 4:\xe2\x80\xa6\xe2\x80\xa6.\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6..\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6.                                            
21\n  Systems Requirements Testing Processes Did Not Consistently Comply With Guidelines\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6               22\n        Recommendation 5:\xe2\x80\xa6\xe2\x80\xa6..\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6.\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6..........                                     24\n        Recommendation 6:\xe2\x80\xa6\xe2\x80\xa6.\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6..\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6..                                           26\nAppendices\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6                                                             27\n  Appendix I \xe2\x80\x93 Detailed Objective, Scope, and Methodology\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6...                            27\n  Appendix II \xe2\x80\x93 Major Contributors to This Report\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6...                                
31\n  Appendix III \xe2\x80\x93 Report Distribution List\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6..                                     32\n  Appendix IV \xe2\x80\x93 Glossary of Terms\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6...                                          33\n  Appendix V \xe2\x80\x93 Management\xe2\x80\x99s Response to the Draft Report..\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6.                             35\n\x0c                  Abbreviations\nAbbreviation                              Description\n    CFO        Chief Financial Officer\n    CTO        Chief Technology Officer\n    ECC        Enterprise Central Component\n    FIPS       Federal Information Processing Standards\n    IFS        Integrated Financial System\n    IRM        Internal Revenue Manual\n    IRS        Internal Revenue Service\n   NIST        National Institute of Standards and Technology\n    PII        Personally Identifiable Information\n    RBD        Risk-Based Decision\n    SAP        Systems Applications and Products\n    SNC        Secure Network Connection\n    SSN        Social Security Number\n    SSP        System Security Plan\n\x0c                               Background\n\xef\x81\xb1   In November 2004, the Internal Revenue Service (IRS) replaced the\n    Automated Financial System with the Integrated Financial System (IFS).\n    The IFS is the IRS\xe2\x80\x99s core 
financial system and annually accounts for\n    approximately $12 billion in operational funds.\n\xef\x81\xb1   The IFS was implemented as a major project under the Business Systems\n    Modernization Program and supports the IRS\xe2\x80\x99s administrative financial\n    operations.\n\xef\x81\xb1   In November 2005, the IFS was reclassified as Operations and\n    Maintenance funding.\n\xef\x81\xb1   The IFS has 24 custom interfaces with systems belonging to the IRS,\n    Department of the Treasury, and General Services Administration. The\n    IFS Data Transfer Service uses these interfaces to transport data files in and\n    out of the IFS.\n\n\n\n\n                                                                                     4\n\x0c\xef\x81\xb1   The IFS provides processes and reports (Figure 1) for the following:\n    \xef\x81\xb1   General ledger, accounts receivables, and accounts payable\n        (Financial Accounting module).\n    \xef\x81\xb1   Budget execution (Funds Management module).\n    \xef\x81\xb1   Cost accounting (Controlling module).\n    \xef\x81\xb1   Purchasing (Materials Management and Purchasing module).\n    \xef\x81\xb1   Budget formulation (Business Warehouse module).\n\xef\x81\xb1   IFS management stated that the system does not process or report on the\n    IRS\xe2\x80\x99s tax revenues and refunds. 
1\n\n\n\n\n_________________________\n\n1 The IFS provides some tax processing functionality for Health Coverage Tax Credit payments.\n                                                                                                5\n\x0c                                        Figure 1: Overview of IFS Processes\n                                                                  Budget\n                                                                Formulation\n                                                          $                                                                            Processe\n        THE INTEGRATED                                                                                                          KEY:       s\n                                                                                                                                                   Interface\n                                                                                                                                                       s\n         THE  INTEGRATED\n            SYSTEM\n              SYSTEM                                                                                                                   Bold = SAP module\n\n\n                                                                                                                               User\n                                                                 Budget                                                        Fees\n                                                                                                Reimbursable\n       SPENDING AUTHORITY/                                      Execution                        Agreements\n                                                                                                                                                     PCC\n            RECEIPTS\n                                                              (Funds 
Management)                    (FM)\n                                                                     (FM)\n\n\n\n\n                                             Req to Check/IPAC                        Tax & Travel\n         OBLIGATIONS/\n                                              (FM, MM, AP, AR)                        (FM, AP, AR)\n         EXPENDITURES\n                                                                  Pay\n                                                                   to    $\n                                                                                                           GovTrip\n                              RTS/IPS\n                                                                                                            -TRAS\n\n                                        Accrual entries                                     Accounting balance\n                                        Payroll                                                        analysis\n                                        processing                                            Month end close\n                                        Reconciliation\n                                        FTLRF\n                                                                                                Year end close\n                                                                                                      Financial\n                                                                                                                                          Cost\n       ACCOUNTING FUNCTIONS             UCEF                                                        statements                         Management\n                                        HCTC                                                               Tier\n                                        Fixed Assets                                             Other reports                            (CO)\n   
                                     Other entries\n\n\n\n\n                                                                                                                        Business\n                                                                  HCTC          TIER          AINFC                    Warehouse                      HR\n                                                                                                                          Cash                            ct\n                                                                                                                                                    Conne\n                                                                                                                     reconciliation\n                                                                                                                         Payroll\n                                                                                                                      reconiliation\n                                                                                                                       OSL report\n               Year End Close\n                                                               Month End Close\n               Open New Year                                   (MM, AR, AP, FM, GL)\n               (MM, AR, AP, Tier)\n                                                                                                                        GOALS\n\n\n\nSource: Office of the Chief Financial Officer. 
AINFC = Automated Interface National Finance Center; AP = Accounts Payable;\nAR = Accounts Receivable; FM = Funds Management; FTLRF = Federal Tax Lien Revolving Fund; GL = General Ledger;\nGOALS = Government On-Line Accounting Link System; HCTC = Health Coverage Tax Credit; HR = Human Resources;\nIPAC = Intra-Governmental Payment and Collection; IPS = Integrated Procurement System; MM = Materials Management;\nOSL = Obligation Subsidiary Ledger; PCC = Paper-Check Conversion; RTS = Request Tracking System; SAP = Systems\nApplications and Products; TRAS = Travel Reimbursement & Accounting System; and TIER = Treasury Information Executive\nReporting; UCEF [sic] = UCFE = Unemployment Compensation for Federal Employees.\n                                                                                                                                                               6\n\x0c\xef\x81\xb1   The Office of the Chief Financial Officer (CFO) and the Information\n    Technology organization, Applications Development Office, share dual\n    responsibility over IFS operations.\n\xef\x81\xb1   The IFS uses a version of software that is more than 10 years old.\n    Beginning in Fiscal Year 2011, the vendor ceased providing new changes\n    to accommodate new legislative or Federal accounting requirements.\n\xef\x81\xb1   The vendor provided only customer-specific support, charging maintenance\n    to keep the outdated version operational. 
Thus, the IRS is paying a\n    premium to maintain the IFS and, if successful, the updates will allow the\n    IRS to reduce maintenance costs.\n\xef\x81\xb1   During Fiscal Year 2011, the IRS established an extended agreement\n    with the vendor to provide necessary maintenance support through\n    January 2013.\n\n\n\n\n                                                                                 7\n\x0c\xef\x81\xb1   For Fiscal Years 2012 and 2013, the IRS requested nearly $37.5 million\n    to fully upgrade the IFS software.\n\xef\x81\xb1   The proposed IFS upgrade was not fully funded; however, the IRS received\n    approximately $10.5 million for specific IFS updates.\n\xef\x81\xb1   These IFS updates include:\n    \xef\x81\xb1   Systems Applications and Products (SAP) Netweaver Single Sign-On Secure\n        Network Connection (SNC) to encrypt graphical user interface traffic.\n    \xef\x81\xb1   SAP 4.6C to Enterprise Central Component (ECC) 6.0 establishing the current\n        technology platform with functional enhancements.\n    \xef\x81\xb1   The Internet Payment Platform, a Department of the Treasury mandate for all\n        Federal agencies, to be implemented in conjunction with SAP ECC 6.0.\n\xef\x81\xb1   The IRS is considering additional IFS modifications, which were part of\n    the $37.5 million full system upgrade request, if funding is approved. 
This\n    would include budget formulation and reimbursable systems modules and\n    integrating the IFS with the Integrated Procurement System.\n                                                                                      8\n\x0c                           Audit Objective\n\xef\x81\xb1   Determine whether the IRS has adequately planned for IFS updates to\n    support long-term goals and to mitigate risks in accordance with the\n    Department of the Treasury, IRS, and other systems development\n    guidelines.\n    \xef\x81\xb1   Determine whether the IFS Project Management Office has established\n        key management controls and processes in accordance with systems\n        development guidelines.\n    \xef\x81\xb1   Determine whether project funding for the IFS update is current,\n        accurate, and complete.\n    \xef\x81\xb1   Determine if the IFS includes adequate security controls to address\n        system security risks prior to deployment of the updates.\n\n\n\n\n                                                                              9\n\x0c                       Results of Review\n\xef\x81\xb1   IFS Updates Address Compliance and Specific Security Weaknesses\n    (see slide 11).\n\xef\x81\xb1   Remaining IFS Security Issues Should Be Addressed\n    (see slides 12 through 21).\n\xef\x81\xb1   Systems Requirements Testing Processes Did Not Consistently Comply\n    With Guidelines (see slides 22 through 26).\n\n\n\n\n                                                                         10\n\x0c                 IFS Updates Address Compliance\n                 and Specific Security Weaknesses\n\xef\x81\xb1   The IFS updates management team established the Project Tailoring Plans\n    and issued systems development plans covering key processes.\n\xef\x81\xb1   Funding amounts were documented for each of the IFS updates.\n\xef\x81\xb1   In July 2012, the IRS implemented the SAP SNC, providing for data\n    encryption and eliminating 
security weaknesses in the Citrix and IFS\n    Windows 2000 environments no longer supported by the vendor.\n\xef\x81\xb1   The IRS reported a cost savings of approximately $1 million per year for\n    technical support resulting from eliminating the Citrix servers.\n\xef\x81\xb1   With successful implementation of SAP ECC 6.0, the IRS stated that the\n    IFS will be in compliance with current Federal laws and accounting\n    standards and will address the security weakness related to Oracle database\n    software that is no longer supported by the vendor.\n\n\n\n\n                                                                               11\n\x0c                    Remaining IFS Security Issues\n                       Should Be Addressed\n\nIFS users have access to Personally Identifiable Information (PII)\nwithout a business need\n\xef\x81\xb1   The Office of Management and Budget and the Internal Revenue Manual\n    (IRM) 10.5.1. require that unique identifiers be used in place of Social\n    Security Numbers (SSN) on systems, where possible, to prevent\n    unnecessary disclosure of PII.\n\xef\x81\xb1   The IRM also requires that individuals with access to sensitive data,\n    including SSNs and PII, have a \xe2\x80\x9cneed to know\xe2\x80\x9d based upon the\n    performance of their job duties and receive managerial authorization for\n    system access.\n\n\n\n\n                                                                               12\n\x0c\xef\x81\xb1   IFS screens display SSNs in clear text, along with associated PII.\n    Approximately 320 IFS users access the system using SSNs to perform\n    vendor and document analysis as part of their IFS duties.\n    \xef\x81\xb1   Further, currently there are approximately eight IFS users who have access to\n        this information, even though it is not part of their IFS duties.\n    \xef\x81\xb1   In May 2012, the CFO and the Chief Technology Officer (CTO) drafted a Risk-\n        Based Decision (RBD) 
and Plan of Action and Milestones to address this\n        weakness and are awaiting stakeholders\xe2\x80\x99 comments.\n    \xef\x81\xb1   Based on discussions, the IRS proposed a short-term solution to review and\n        remove users who do not have a \xe2\x80\x9cneed to know\xe2\x80\x9d by March 2013, after\n        deployment of the IFS update.\n    \xef\x81\xb1   The IRS also proposed a long-term solution that will require changes to the IFS\n        screens by limiting the number of authorized users and masking of the SSNs;\n        however, this solution will require additional time beyond March 2013 and\n        additional funding.\n\n\n                                                                                        13\n\x0c                                                                                                     2\n\xef\x81\xb1   In addition, 110 IFS users have access to the 1099 and W-2 system data\n    for some IRS employees and vendors, but reasonable access control checks\n    are not in place, such as those that would identify or prevent a user viewing\n    another IRS employee\xe2\x80\x99s tax information. 
Specific types of employee tax\n    information include long-term travel and tuition assistance payments.\n    \xef\x81\xb1   IFS management stated that the potential for inappropriate use is low as the data\n        do not include taxable earnings; therefore, no corrective actions were taken.\n        We maintain that any inappropriate access is unacceptable.\n    \xef\x81\xb1   Following audit discussions, the CFO initiated plans to look at the business\n        process impacts of implementing changes after the IFS update deployment.\n        Until this analysis can be conducted, the CFO has accepted the risk and plans to\n        establish an RBD.\n\n\n\n\n_________________________\n\n2 The 1099 system includes information from various versions of Forms 1099 used to report types of\nincome such as interest, dividends, and miscellaneous income. The W-2 system includes information\n                                                                                                         14\nfrom Forms W-2, Wage and Tax Statement.\n\x0c\xef\x81\xb1   The loss, theft, or unauthorized disclosure of PII places individuals at risk\n    for identity theft and invasion of privacy. 
The proper protection of PII\n    helps maintain system integrity and the IRS\xe2\x80\x99s reputation for privacy\n    protection, which are critical for the IRS to perform its mission.\n\xef\x81\xb1   Management Action: After we advised the CFO staff that there were an\n    unknown number of IFS users with access to PII, they performed an\n    analysis to determine which users should not have access to PII.\n\n\n\n\n                                                                                    15\n\x0c                             Recommendations\n\n\xef\x81\xb1   Recommendation 1: The CTO should work with the CFO to implement\n    access controls necessary to ensure that IFS users are adequately restricted\n    from IRS employee sensitive data, including SSNs and PII, until the\n    planned long-term solution can be implemented.\n    \xef\x81\xb1   Management\xe2\x80\x99s Response: The IRS agreed with this\n        recommendation. The IRS will review IFS access to IRS employee\n        sensitive data, including SSNs and PII, and restrict access to only those\n        users with a \xe2\x80\x9cneed to know.\xe2\x80\x9d\n\xef\x81\xb1   Recommendation 2: The CTO should work with the CFO to either\n    implement access control checks to prevent IFS users from accessing\n    unauthorized IRS employee accounts or to appropriately document this\n    risk.\n    \xef\x81\xb1   Management\xe2\x80\x99s Response: The IRS agreed with this\n        recommendation. 
The IRS will conduct an analysis and remove users who do not have a "need to know" and evaluate the identified low risk to determine if an RBD is needed.

SAP SNC is FIPS 140-2 compliant but not yet validated

• Federal Information Processing Standards (FIPS) Publication 140-2, Security Requirements for Cryptographic Modules, specifies the security requirements for cryptographic modules used within a security system to protect sensitive information.
• NIST recommends, and IRM 10.8.1 requires, that the IRS use only cryptographic modules that have been validated in accordance with FIPS 140-2 or later. Validation is a specific status: a module is validated only after an accredited testing laboratory has tested it and the Cryptographic Module Validation Program has issued a certificate for it. A vendor's statement that a module is "compliant" with FIPS 140-2 is a self-assertion and does not by itself satisfy this requirement.
• Protection of the cryptographic module within a security system is critical to maintaining the confidentiality and integrity of the information the module protects.
• On March 19, 2012, the Office of the CFO and the Information Technology organization (formerly known as Modernization and Information Technology Services) both signed an RBD stating that implementation of the SAP SNC solution would strengthen the system's internal controls.
• On June 16, 2012, the IRS deployed the SAP SNC solution, replacing the outdated Citrix software, for the IFS. However, IFS management informed us that the new solution is FIPS 140-2 compliant but has not yet been validated.
• During development and testing of the new SAP software, the Office of the CFO received a waiver from the Enterprise Architecture Office to operate the IFS, but production deployment was contingent upon obtaining the certification. The solution nevertheless went into production on June 16, 2012, before the certification was obtained.
• IFS management stated that the cryptographic module will be FIPS 140-2 certified with the next version of the IFS, approximately late in 2013, after deployment of the IFS update.
• Until a validated module is in place, the IFS does not comply with NIST and IRS standards, and the sensitive data it protects remain exposed to serious risks, including unauthorized access or loss.

Recommendation

• Recommendation 3: The CTO should work with the CFO to update the System Security Plan (SSP) to document the module's current status and to record it as FIPS 140-2 certified once the next version of the IFS is deployed in Fiscal Year 2013.
    • Management's Response: The IRS agreed with this recommendation. SAP and NIST test centers have notified the IRS that the FIPS 140-2 certification of the SNC module will be completed in late 2013. Once certification is completed, the IFS will implement the new version of the SNC.

The IFS does not yet provide for multifactor authentication

• NIST recommends that user identities be authenticated through the use of passwords, tokens, biometrics, or a combination thereof.
Based on this NIST criterion (NIST Special Publication 800-53, the control baseline used in this audit, requires multifactor authentication for privileged account access), multifactor authentication is required for IFS system administration access.
• The IFS SSP states that the IFS relies on the Modernization and Information Technology Services General Support System-18 for identification and authentication. However, General Support System-18 does not support multifactor authentication of system administrators.
• The IRS has recognized that the lack of two-factor authentication is a program-level control weakness and plans to implement two-factor authentication as part of an enterprise solution.
• Until the IRS provides multifactor authentication for IFS system administrators, network and local administrator access to the system, and to the sensitive data it holds, including SSNs and PII, depends on single-factor password authentication, so one guessed, phished, or stolen password is enough to compromise it.

Recommendation

• Recommendation 4: The CTO should work with the CFO to implement two-factor authentication and, in the short term, identify compensating authentication controls for IFS system administrators.
    • Management's Response: The IRS agreed with this recommendation. The CTO will ensure that the IFS is included in the current program-level mitigation strategy to implement two-factor authentication and identify a form of multifactor authentication for IFS system administrators.

Systems Requirements Testing Processes Did Not Consistently Comply With Guidelines

Not all test cases included expected results

• IRM 2.6.1 requires that test cases be developed to support requirements testing.
Test cases should identify the requirements being tested and the expected results.
• During testing of IFS system updates, the expected results recorded in the test cases should be compared with the actual results observed by the tester to determine whether the requirements were sufficiently tested.
• We judgmentally sampled[3] and reviewed 10 of the 363 total IFS system update requirements to determine whether test cases were properly developed in accordance with IRM 2.6.1. We selected seven functional and three security requirements to represent the different types of IFS requirements.

[3] A judgmental sample is a nonstatistical sample, the results of which cannot be used to project to the population. Judgmental sampling was used because we did not intend to project our results.

• The 10 sampled requirements related to four test cases. The test cases did not always include the expected results, and one test case included expected results for only one of its 15 test steps.
• IFS management informed us that the expected results for the four test cases included a spreadsheet of budget figures that was too large to attach to the test cases.
• As a result, IFS testers needed to obtain information outside the approved test cases to verify that the requirements were tested.
• When expected results are not fully presented in test cases, the risk of accepting inadequate test results increases, which could adversely affect IFS functionality. Where an expected-results artifact is too large to attach, the test case should at least identify it unambiguously (file name, version, and storage location) so that the comparison can be repeated and independently verified.

Recommendation

• Recommendation 5: The CTO should work with the CFO to ensure that all applicable IFS test cases include expected results to validate that system requirements were sufficiently tested.
    • Management's Response: The IRS agreed with this recommendation. The Enterprise System Test group will implement standard processes and tools for Systems Acceptance Testing in accordance with soon-to-be-issued IRM changes. The Enterprise System Test group is working to link its Rational Quality Manager to the RequisitePro requirements repository so that full requirements test management can be adequately and accurately documented.

Testers did not always obtain documentation to validate the actual test results

• IRM 2.6.1 requires that testers obtain and maintain evidence to validate the actual test results; such evidence may include computer screen prints, input and output data files, and system logs.
• For four of the 10 sampled requirements, testers did not obtain and maintain documentation to validate the actual test results.
• IFS management did not ensure that testers consistently followed IRM guidelines to obtain and maintain objective evidence, such as screen prints, to verify that requirements were sufficiently tested.
• If the documents used to verify actual test results are not available, the IRS cannot verify the adequacy of its system testing activities. This increases the risk of an adverse impact on the functionality of the IFS.

Recommendation

• Recommendation 6: The CTO should work with the CFO to ensure that all IFS testers obtain and maintain documentation to verify actual test case results.
    • Management's Response: The IRS agreed with this recommendation. The EST group will implement standard processes and tools for SAT testing in accordance with soon-to-be-issued IRM changes.
EST is working to link its RQM to the RequisitePro requirements repository so that full requirements test management can be adequately and accurately documented.

Appendix I
Detailed Objective, Scope, and Methodology

• Overall Objective: Determined whether the IRS had adequately planned for IFS updates to support long-term goals and to mitigate risks in accordance with Department of the Treasury, IRS, and other systems development guidelines.
• Determined whether the IFS Project Management Office had established key management controls and processes in accordance with Department of the Treasury, IRS, and other systems development guidelines. We considered the following program and project controls for the IFS:
    • Applicable guidance from Department of the Treasury, IRS, and SAP best practices.
    • Established plans with the Integrated Procurement System.
    • Integrated master schedules, work breakdown structures, and schedules.
    • Program and project charters.
    • Program and project management plans.
    • Risk and issue management plans.
    • Requirements management plans.
    • Configuration and change management plans.
    • Test management plans.
    • Human resources.
• Considered project funding for the IFS update by reviewing:
    • Estimated costs and benefits and supporting documentation.
    • Cost tracking mechanisms for the IFS update.
    • Contract management practices, including the task order for the project.
• Reviewed security controls identified in the SSP.
    • Determined whether the IFS SSP includes adequate security controls for the system updates.
    • Determined whether all security and privacy requirements were adequate.
    • Determined whether all security risks were adequately addressed.
• This review was performed at the Office of the CFO and the Information Technology organization in New Carrollton, Maryland, from July through October 2012.
• We conducted this performance audit in accordance with generally accepted government auditing standards, which require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective.

Internal Controls Methodology

• Internal controls relate to management's plans, methods, and procedures used to meet their mission, goals, and objectives. Internal controls include the processes and procedures for planning, organizing, directing, and controlling program operations. They include the systems for measuring, reporting, and monitoring program performance.
• We determined that the following internal controls were relevant to our audit objective: NIST Special Publication 800-53, the IRM, and related systems development guidelines applicable to the IFS.
• We evaluated these controls by conducting interviews with management and staff from both the Office of the CFO and the Information Technology organization and by reviewing relevant policies and procedures for the IFS update.
• Documents reviewed included the IFS Project Management Plan, the IFS Application SSP, and other documents that provided evidence of whether the IRS has adequately planned for IFS updates to support long-term goals and to mitigate risks.

Appendix II
Major Contributors to This Report

• Alan R. Duncan, Assistant Inspector General for Audit (Security and Information Technology Services)
• Gwendolyn McGowan, Director
• Suzanne Westcott, Audit Manager
• Louis Lee, Acting Audit Manager
• Cari Fogle, Senior Auditor
• Wallace Sims, Senior Auditor
• Trisa Brewer, Auditor

Appendix III
Report Distribution List

• Acting Commissioner C
• Office of the Commissioner – Attn: Chief of Staff C
• Deputy Commissioner for Operations Support OS
• Deputy Commissioner for Services and Enforcement SE
• Chief Financial Officer OS:CFO
• Deputy Chief Information Officer for Operations OS:CTO
• Associate Chief Information Officer, Applications Development OS:CTO:AD
• Chief Counsel CC
• National Taxpayer Advocate TA
• Director, Office of Legislative Affairs CL:LA
• Director, Office of Program Evaluation and Risk Analysis RAS:O
• Office of Internal Control OS:CFO:CPIC:IC
• Director, Privacy, Governmental Liaison, and Disclosure OS:P
• Audit Liaison: Director, Risk Management Division OS:CTO:SP:RM

Appendix IV
Glossary of Terms

Cryptography: The art of writing or deciphering messages in code.
Encryption: The process of transforming data so that it is unreadable to any person or computer that does not hold the decryption key, preventing others from gaining access to its contents.
Federal Information Processing Standards: A set of standards that describe document processing, encryption algorithms, and other information technology standards for use within nonmilitary Government agencies and by Government contractors and vendors who work with the agencies.
General Support System-18: The system provides appropriately identified, authenticated, and authorized user access to tax administration business applications and provides those tax administration business applications access to data stores containing business records.
Integrated Procurement System: An Office of Management and Budget reported Financial Management System and a procurement system used to track obligations, create solicitations and awards, handle vendor files, and generate reports.
Interface: A point at which independent systems interact.
Multifactor Authentication: Authentication achieved by combining two or three independent credentials: what the user knows (password or Personal Identification Number), what the user has (security token or smart card), and what the user is (biometric verification).
National Institute of Standards and Technology: A nonregulatory Federal agency within the Department of Commerce that is responsible for developing standards and guidelines, including minimum requirements, for providing adequate information security for all Federal Government agency operations and assets.
Personally Identifiable Information: Information that can be used to uniquely identify, contact, or locate a single individual or that can be used with other sources to uniquely identify a single individual.
Plan of Action and Milestones: A management process that outlines weaknesses and delineates the tasks necessary to mitigate them.
Requirement: A formalization of a need and a statement of a capability or condition that a system must have or meet to satisfy a contract, standard, or specification.
Risk-Based Decision: NIST Special Publication 800-53 and IRM 10.8.1 guidance allow Designated Approving Authorities to tailor security control baselines for their systems using a cost-effective, risk-based approach.
Test Case: A test case is created to specify and document the conditions to be tested and to validate that system functions meet requirements as translated into the documented functional design. A test case also tests outside the normal or expected functions in order to find defects.
Two-Factor Authentication: A security process in which the user provides two means of identification, one of which is typically a physical token, such as a card, and the other of which is typically something memorized, such as a security code. This type of authentication also meets the definition of multifactor authentication.
Validation: Verification that something is correct or conforms to a certain standard.

Appendix V
Management's Response to the Draft Report

Management's complete response to the draft report is included beginning on the next page.

[Management's response, pages 36 through 39 of the original report, is reproduced there as page images and contains no extractable text.]